Host Integrity Check for Endpoint and Network Security

July 29, 2009

This article introduces the Host Integrity Check mechanism, which lets enterprises allow their endpoints (laptops/desktops) onto the network only if they comply with the network's security policies (latest patches, signature updates, etc.). It covers the components of such a solution, host integrity checks for managed, unmanaged and unmanageable endpoints, and the challenges of deploying host integrity check applications.

Prevention is better than cure. This applies to network security too. Companies not only need to secure their endpoints/networks with Anti-Virus, Anti-Spyware and Anti-Spam technologies; they also need to ensure that the endpoints are always running the latest versions of those technologies. Vendors may send Anti-Virus updates frequently, but if for some reason an employee doesn't update to the latest version, their desktop/laptop could be under threat of infection and, consequently, so could the whole network.

Host Integrity Check:

Host integrity check is a methodology by which any laptop/desktop/endpoint connecting to a company's network is compulsorily checked for the latest patches and security signature updates before it is allowed to connect. Endpoints that do not comply need to be put into a separate quarantine/VLAN, upgraded automatically, and only then allowed to connect to the network.

Components of a Host Integrity Check solution:

Generally, a host integrity check solution consists of a server appliance and policy management tools, which are used to configure which parameters are checked before a device is allowed to connect to the network. This also lets the company check host integrity centrally for all enterprise devices. The server and its policies integrate with Anti-Virus/Anti-Spyware, RADIUS/LDAP/AD, firewalls, network switches, NAC appliances, VPN solutions, wireless controllers, access points, etc., as required. It is better if all devices, including those that connect over the wireless network and unmanageable devices like VoIP phones and Voice over Wireless LAN clients, are brought under a single umbrella of policy definition and management, with various levels of host integrity check applied to them.

In addition to the server appliance, there are local agents, web agents, remote agents, etc., which work with the server appliance but run on the client devices to ensure that the client has the latest security patches and signature updates. These agents might be permanently installed on the enterprise desktops/laptops (local agents), temporarily deployed for guest access (temporary agents), triggered only when certain actions are taken, such as a browser being opened (web agents), or used to monitor remote stations (remote agents).

Host Integrity Check for Managed endpoints:

Managed endpoints are the laptops/desktops owned and managed by the company. When these devices join the network, their local agent reports to the host integrity checking server whether they have the latest patches and signature updates. If they do, they are allowed to connect to the network. If they don't, they are sent to quarantine, the required patches are applied, and then they are allowed to connect to the network. So far, so good.

Host Integrity Check for Unmanaged endpoints:

But what if certain laptops (guest, contractor, etc.) need to connect to the network? As soon as they connect, the server appliance launches a temporary agent on them to check the OS version, update version, presence of anti-virus and anti-spyware agents, etc., according to separate policies for unmanaged endpoints. These policies might be different from the ones for managed endpoints. The IT support team needs to decide what to do when these laptops do not have the required security settings. There are two options: deny them access to the network, or update them with the required security software. The choice depends on the IT policy of the company.

Host Integrity Check for Unmanageable endpoints:

There are always certain endpoints that cannot be managed, for example those that cannot download an anti-virus package. Many devices fall into this category: IP phones, IP cameras, Voice over Wireless LAN phones, PDAs that run a unique OS, etc. Even these devices are susceptible to malware infections. It is better to place them in a special role/VLAN that allows only certain kinds of traffic and blocks the rest. For example, IP phones could be allowed to send and receive only SIP-based traffic and not HTTP-based traffic. This requires strict integration with Network Access Control devices. For wireless clients, the wireless controller needs to integrate with the host integrity check server and NAC policies. Certain wireless networking vendors support this. There is also a second option: allow these devices to connect to the network, but scan the traffic sent to/from them for viruses/spyware at the gateway level.
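The admission decision described in the three sections above can be sketched as a single policy function. This is an added example, not code from any host integrity product; the policy thresholds, VLAN numbers, field names and the guest VLAN for compliant unmanaged endpoints are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical per-class policies and VLAN ids, constructed for this example.
POLICY = {
    "managed":   {"max_sig_age_days": 3, "min_patch_level": 42, "on_fail": "quarantine"},
    "unmanaged": {"max_sig_age_days": 7, "min_patch_level": 40, "on_fail": "deny"},
}
VLAN = {"production": 10, "guest": 20, "quarantine": 30, "voice": 40}
# Unmanageable devices get a role by device type, limited to the traffic they need.
RESTRICTED_ROLES = {"ip_phone": ("voice", ["sip"])}

@dataclass
class Posture:
    """What an agent (or device profiling) reports about an endpoint."""
    endpoint_class: str                 # managed | unmanaged | unmanageable
    device_type: str = "laptop"
    av_running: bool = False
    sig_date: Optional[date] = None     # date of the installed AV signatures
    patch_level: int = 0

def failed_checks(p, rules, today):
    failures = []
    if not p.av_running:
        failures.append("antivirus not running")
    if p.sig_date is None or (today - p.sig_date).days > rules["max_sig_age_days"]:
        failures.append("signatures out of date")
    if p.patch_level < rules["min_patch_level"]:
        failures.append("missing patches")
    return failures

def decide(p, today):
    """Return (action, vlan_id, allowed_protocols, failures)."""
    if p.endpoint_class == "unmanageable":
        role = RESTRICTED_ROLES.get(p.device_type)
        if role is None:                # no role defined: fail closed
            return ("deny", None, None, ["unknown device type"])
        return ("restrict", VLAN[role[0]], role[1], [])
    rules = POLICY.get(p.endpoint_class)
    if rules is None:
        return ("deny", None, None, ["unknown endpoint class"])
    failures = failed_checks(p, rules, today)
    if not failures:
        vlan = "production" if p.endpoint_class == "managed" else "guest"
        return ("allow", VLAN[vlan], None, [])
    if rules["on_fail"] == "quarantine":    # remediate, then re-check
        return ("quarantine", VLAN["quarantine"], None, failures)
    return ("deny", None, None, failures)
```

The returned failure list is what a remediation step or a help-desk message would act on; unknown classes and device types are denied rather than admitted by default.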

Challenges:

¤ Host integrity check is seldom a standalone application. It is integrated with firewalls, IDS, VPN or NAC solutions, so its scalability is always limited to that of the appliance that supports it. It also needs to scale to different types of endpoints like laptops, desktops, wireless clients, VoIP handsets, PDAs, etc.
¤ Securing unmanaged and unmanageable endpoints is always going to be tough, as each case might be unique. Applying centralized policies to such endpoints and grouping them will be a challenge.
¤ Employees/contractors might always complain of lost productivity (time, effort, etc.). This is indeed a serious problem, and a security initiative should not prevent employees from being efficient.
¤ Integration with many third-party tools like RADIUS/LDAP servers, Anti-Virus/Anti-Spyware engines, network switches/NAC appliances/firewalls, wireless controllers, etc. will always pose a significant challenge, especially in multi-vendor environments, which is always the case.

excITingIP.com


Pingback:

Many vendors that offer host integrity checking features as part of their solutions do so via embedding OESIS Framework from OPSWAT. OESIS Framework provides a uniform development interface to detect, assess and lightly manage most endpoint security applications (e.g. Antivirus, Antispyware, personal firewalls, back-up clients, hard disk encryption clients, etc.) in the market.
The Framework is expanding to provide a uniform interface to manage many other applications that bear on security such as P2P clients, browsers, desktop sharing applications, desktop virtualization apps, etc.